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Abstract 

Efficient information reconciliation is crucial in several scenarios, being quantum key distribution a 
remarkable example. However, efficiency is not the only requirement for determining the quality of the 
information reconciliation process. In some of these scenarios we find other relevant parameters such 
as the interactivity or the adaptability to different channel statistics. We propose an interactive protocol 
for information reconciliation based on low-density parity-check codes. The coding rate is adapted in 
real time by using simultaneously puncturing and shortening strategies, allowing it to cover a predefined 
error rate range with just a single code. The efficiency of the information reconciliation process using 
the proposed protocol is considerably better than the efficiency of its non-interactive version. 

I. Introduction 

Since the publication of the first quantum protocol, more than 25 years ago, quantum key distribution 
(QKD) m has evolved into a functional and commercial technology, and nowadays it is already possible 
to find commercial QKD systems by several manufacturers. A QKD system is used to create secret keys 
between two parties connected through a quantum channel, i.e. for instance an optic fibre. However, this 
technology is still far from reaching its real potential due to the lack of suitable developments in some of 
its fundamental processes, such as error correction. In a QKD protocol, error correction is included within 
a broader process known as secret key distillation |2]. In this process, error correction is a procedure 
used to reconcile discrepancies between two bit sequences, for this reason this procedure is known as 
information reconciliation. In order to accomplish it, the parties must exchange additional information 
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Fig. 1. Source coding with side information for one-way reconciliation. 

over a public but authenticated channel: it can be read but not modified by an hypothetical eavesdropper. 
Since the information exchanged for reconciliation provides information about the key, the parties must 
agree on an additional procedure, called privacy amplification 131, used to reduce the information that 
may have been derived by any eavesdropper. An optimal reconciliation procedure provides the minimum 
information required for correcting the discrepancies between two sequences, minimising the key material 
that must be discarded during the privacy amplification, therefore maximising the final secret-key length. 

One of the first methods proposed for correcting errors in a QKD system was Cascade El. Currently, 
it is probably the most widely used procedure for this purpose in QKD, due to its simplicity and 
relatively good efficiency (see Fig. O. However, Cascade is a highly interactive process that requires 
many communication rounds. The parties have to exchange a large number of messages where parities 
of different blocks and subblocks of a key are published. 

A better alternative for error correction in QKD systems is provided by other strategies such as low- 
density parity-check (LDPC) codes. These codes were introduced by Gallager in the early 60s Q, 
and recently several proposals have emerged for using LDPC codes in the information reconciliation 
process ||6l, Q. In this paper we propose a new protocol for error correction using rate adaptive LDPC 
codes. The protocol is able to correct errors within a known error rate range, iteratively transmitting more 
symbols in order to minimise the information transmitted for correction. 

The paper is organised as follows: First, in section JIJ it is described the problem of information 
reconciliation in the secret-key agreement context. Then, in section JIIJ a new protocol is proposed 
to improve the reconciliation process using interactive communication between the parties. Finally, in 
section |IVJ results with this new protocol are shown. These results are also compared with two different 
approaches: a similar proposal using rate adaptive codes but without interactive communication, and the 
simplest approach using LDPC codes without rate modulation. 
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II. Information Reconciliation 

The problem of information reconciliation, when only one-way transmissions are allowed, can be 
modelled by the more general problem of source coding with side information. In this section we 
describe this more general approach, and are reviewed those techniques used to adapt LDPC codes 
in the information reconciliation context. 

A. Source Coding with Side Information 

Let X and Y be two discrete random variables representing two correlated sources, and let X" and 
y" be two correlated sequences obtained from both sources respectively. Assuming that these sources 
are separated into two legitimate parties: Alice and Bob. Information reconciliation allows Bob to recover 
X" with the help of and sending M messages over a lossless channel. In the source coding with side 
information description, one of the parties encode the sequence X^, and the other recovers X" using the 
information provided by the encoded sequence and with help of side information Y"-, such that X"- = X"- 
with high probability. The minimum rate for encoding the source X in order to get X = X with the 
side information provided by Y was determined by Slepian-Wolf to be H(X\Y) [8| (see Fig. [T|l. Both 
problems, information reconciliation and source coding with side information, are equivalent if only one- 
way transmissions are allowed, and H{X\Y) is the minimum rate that could be used in a reconciliation 
protocol. However, even though the problem is formally different, an interactive reconciliation process 
shares the same lower bound [91. Thus the reconciliation efficiency, /, for both one-way and interactive 
protocols can be defined by: 
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In the quantum cryptography context information reconciliation arise after the basis reconciliation 
process, this is when both parties of a QKD system, Alice and Bob, share a raw key with discrepancies 
that should be removed by following a key distillation process. In most of QKD protocols, e.g. BB84 lITOl 
or SARG 111], these discrepancies are uncorrected and symmetric, such that they can be interpreted as 
errors in a communication made through a binary symmetric channel (BSC). 

B. LDPC Codes and Syndrome Decoding 

LDPC codes are known to achieve coding rates near the capacity of several channels under belief 
propagation decoding [|12il . It has been also shown that these codes can be used to encode near the 
theoretical limit for source coding with side information |fT3l . A modified decoder was proposed for 
syndrome decoding and applying the bin approach by Wyner |[T4l . The use of LDPC codes for encoding 
correlated sources was later formalised |[T5l . 

Following this exposition, information reconciliation can be solved for many QKD protocols by using 
good LDPC codes for the BSC. This problem has been already addressed, and good families of these 
codes have been found for different coding rates However, an LDPC code is constructed for a fixed 
coding rate. In consequence, in those scenarios of varying characteristics, such as QKD, if the parties do 
not share a suitable number of codes, the efficiency curve shows a saw behaviour (see Fig. In order 
to solve this behaviour, in the next section we describe a new protocol able to adapt the coding rate of 
an LDPC code, minimising the information revealed for reconciliation. 

III. Protocol 

A. Rateless Coding 

Puncturing and shortening are two suitable strategies able to adapt the rate of a channel code as we 
have already shown in a previous work |7|. When p punctured symbols of a codeword are removed, 
a [n, k] code is converted into a [n — p, k] code (see Fig. [2al). Whereas, when shortening, s symbols 
are removed during the encoding process, and a [n, k] code is converted into a [n — s,k — s] code (see 
Fig. |2bl). 

Supposing that Rq is the original coding rate of a family of LDPC codes defined by: 
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i?o = 1 - (2) 

2^ Pi/ 3 

where Aj and pi are the coefficients of their generating polynomials. This rate can be modulated applying 
puncturing and shortening procedures as defined below. The modulated rate is then calculated as: 

R= = "^'-^ (3) 

n — p — s 1 — IT — a 

where tt = p/n and a = s/n are the ratios of punctured symbols and shortened symbols respectively. 

Both strategies, puncturing and shortening, may be applied in an isolated way in order to increase 
or decrease the coding rate respectively. However, we propose the use of both strategies simultaneously 
defining a new constant parameter, 5 = tt + a. This proposal is based primarily on two reasons: 

1) Applying the same proportion of puncturing and shortening in every modulation. In consequence, 
regardless of the coding rate, the key length that can be corrected using the modulated code is 
known in advance. 

2) As it is discussed in the next section, the use of puncturing and shortening simultaneously allow 
us to modify a previously modulated code in order to decrease the coding rate and to repeat an 
unsatisfactory correction process. 

The efficiency, defined in Eq. [TJ of the modulated code depends on the coding rate and the ratio 5 of 
puncturing and shortening as shown in Fig. [3] 

B. Interactive Reconciliation 

The process of adapting the coding rate of an LDPC code is usually done with a previous estimate 
of the error rate to be corrected, this estimation is traditionally carried out by exchanging a sample of 
the sequence on the public channel. We propose here a new protocol for information reconciliation with 
LDPC codes that does not require to estimate the error rate. The protocol is based on syndrome coding, 
but adding a new functionality: feedback information about the success of the decoding process (see 
Fig. |4]). With this feedback the original one-way approach becomes an interactive protocol, as described 
below, with more flexibility in order to correct optimally a range of error rates. The protocol is blind 
in the sense that it is able to adapt to different channel configurations without a prior estimate and, the 
reconciliation is successful as long as the channel's characteristics are within a pre-established range. 

The protocol is described by the following three steps: 
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Fig. 3. Efficiency of Cascade I?) and efficiency thresholds of LDPC codes with rate modulation for an error rate from 2% to 
10%. The range is representative of good to very bad quantum channels for the QKD case. Efficiencies have been calculated, 
using the expression defined in Eq. [T] for three different codes with rates _Ro: 0.5, 0.6 and 0.7. Two 5 values, 0.1 and 0.05, 
have been used for the rate modulation of these codes. An additional 5 — 0.5 has been used with Ro — 0.5 covering the entire 
error rate range. The curves show how the efficiency of the LDPC code depends on the ratio of puncturing and shortening, 5, 
and the original coding rate, _Ro- Higher 5 values imply a bigger range of coding rates covered, unfortunately the efficiency 
drops for high values of S f 161. The efficiency drop increases for simultaneous use of high 5 values with high coding rates. 
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Fig. 4. Source coding with side information and feedback. 
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Step 0) Raw Key Exchange: Initially it is assumed that two sources, X and Y, generate two correlated 
symbol sequences, x and y belonging to AUce and Bob respectively. Moreover, it is also supposed 
that the two symbol sequences have discrepancies within a bounded error rate range, [cq, ei]. From this 
hypothesis, Alice and Bob can choose an LDPC code with an information rate aimed to correct an 
intermediate point in the interval. Depending on the range and the efficiency target, the parties agree on 
a d value to cover the entire range of required coding rates. 

-Rmin = ^_ ^ < R < Y^~S ~ 

such that i?min < 1 — ^2(^1) and iimax ^ 1 — ^2(^0) » where /i2 is the binary Shannon entropy. 

As initial coding rate is chosen the highest value, R = Rmax, such that all symbols used to modulate 
the rate correspond to a punctured symbol, i.e. 6 = tt and a = 0. In this case the protocol provides the 
minimum amount of information. 

Step 1 ) Encoding: Once it has been estabUshed a value for the coding rate, both parties compute the 
number of symbols to be punctured and shortened, p and s respectively: 

s = \{Ro - R{1 - 6)) n] 

(5) 

p = lSn\ — s 

The first time this step is run, Alice randomly chooses the symbols to be punctured — there are no 
shortened symbols in the first round — , and set them with random values. Once AUce knows which 
positions correspond with punctured symbols, and their values, she calculates the syndrome (compressed 
information), z = xiJ*, and sends it to Bob along with their positions. 

In subsequent runs of this step, AUce chooses randomly a preestablished proportion of punctured 
symbols that will be converted to shortened symbols and transmits to Bob their positions and values. The 
proportion of converted symbols in each round must be agreed by both parties at the beginning of the 
protocol, and it depends on the maximum number of rounds that is allowed and the desired efficiency. 

Step 2) Decoding: Bob uses his correlated sequence, y, and the information provided by punctured 
and shortened symbols as starting point to find a sequence with a syndrome that matches the syndrome 
received from AUce, z. The protocol is successfully concluded in this step when Bob decodes a word 
matching the syndrome received. Otherwise, if the decoding process is stopped because the maximum 
number of pre-set iterations has been reached, then Bob agrees with AUce a decrease in the coding rate, 
if possible, and they return to the previous Step 1 . 
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Fig. 5. Example of a complete execution of the interactive protocol. The example shows how the symbols of an initial sequence 
are distributed in different positions of a codeword. The remaining positions of the codeword are initially marked as punctured 
symbols. In each round, the protocol replaces a proportion of punctured symbols with shortened symbols, thus reducing the 
coding rate. 



The protocol fails if the coding rate takes its minimum value and decoding is unsuccessful, i.e. R = 
{Rq — 6)/{1 — 6), which happens for 6 = a and vr = 0. 

A graphic description of this protocol is shown in Fig. |5] The figure illustrates an example showing 
three executing rounds. 

Different executions of the proposed protocol may conclude with different ratios for puncturing and 
shortening, vr and a respectively, i.e. different protocol executions reconcile the original sequences with 
different efficiencies. Efficiency for a single protocol execution is defined in Eq. \T\ the efficiency of this 
protocol can be measured by taking an average value. Puncturing and shortening ratios are then calculated 
by: 

M M 
i=l i=l 

where M is the number of executions. The average efficiency is then calculated as: 

? ^ __}^ Rq-^ ^ 1- Rq-tt 

^~h2{e) {l-5)h2{e)~ {l-5)h2ie) 

where e is the crossover probability that has been corrected. 
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TABLE I 

Proportion and number of punctured and shortened symbols, and modulated rate per round. 



Round 


5 




a* 


P 


s 


-Ro 


R 





0.1 


1.00 


0.00 


20000 





0.6 


0.67 


1 


0.1 


0.83 


0.17 


16666 


3334 


0.6 


0.65 


2 


0.1 


0.67 


0.33 


13332 


6668 


0.6 


0.63 


3 


0.1 


0.50 


0.50 


9999 


10001 


0.6 


0.61 


4 


0.1 


0.33 


0.67 


6666 


13334 


0.6 


0.59 


5 


0.1 


0.17 


0.83 


3333 


16667 


0.6 


0.57 


6 


0.1 


0.00 


1.00 





20000 


0.6 


0.56 



Let Q be the maximum number of rounds, the efficiency value in an isolated execution is increased in 
each round by a constant factor, e, that depends on the proportion of new shortened symbols, q = 6/Q 
such that vTj+i = ttj — q and (Jj+i = aj + q. The efficiency of an execution that concludes in the round 
j can be also calculated by fj = /o + je, where: 

^ l-R^-5 ^ q 

^° {l-6)h2{e)' ' (l-<5)/i2(e) 

IV. Results 

In order to produce a representative set of simulations that demonstrate the operation of the proposed 
protocol, we decided to build a single LDPC code of length n = 2 x 10^ and rate Rq = 0.6 using a family 
of codes proposed by Elkouss ^ for the BSC. The code, with a puncturing and shortening proportion of 
5 = O.l, is able to modulate coding rates from i^min = 0.56 to i?max = 0.67, i.e. it is possible to construct 
codes for correcting error rates in an approximate range from 6% to 9%. Table |I] shows the proportion 
and number of punctured and shortened symbols in each round, assuming that only a maximum of seven 
rounds can be executed. For convenience, the proportions of punctured and shortened symbols has been 
normalised to 1, such that vr = 6tt* and a = 5a*. 

Table |ll] shows the average number of rounds, N, needed for correcting different error rates using a 
previously constructed LDPC code. The table also includes the average number of punctured symbols, 
p, and the average number of shortened symbols, s, that have been used in the last round of the 
correction process. From the average number of punctured and shortened symbols, the average proportion 
of punctured and shortened symbols, tt and a respectively, have been calculated together with the average 
efficiency, /, as defined in Eq. |7] 
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TABLE 11 

Average number of rounds needed to correct different error rates with a single but modulated LDPC 

CODE. 



BER 


TV 


V 


s 


% 




/ 


0.055 


0.03 


19900 


100 


0.0995 


0.0005 


1.08664 


0.060 


1.12 


16266 


3734 


0.0813 


0.0187 


1.08144 


0.065 


2.36 


12132 


7868 


0.0607 


0.0393 


1.08651 


0.070 


3.12 


9599 


10400 


0.0480 


0.0520 


1.06883 


0.075 


4.38 


5399 


14601 


0.0270 


0.0730 


1.07841 


0.080 


5.00 


3333 


16667 


0.0167 


0.0833 


1.05895 


0.085 


6.00 





20000 








0.090 


6.00 





20000 









Finally, Fig. |6] shows the reconciliation efficiency curves, calculated according to Eq. [TJ but obtained 
with three different approaches: i) the protocol proposed here where the maximum number of allowed 
rounds has been increased to 20, ii) the original non-interactive protocol |7 |, and iii) an ensemble of 
LDPC codes for different rates. 

V. Conclusions 

In this paper we have studied an interactive information reconciliation protocol. The protocol has 
been analysed empirically and the different trade-offs in terms of decoding complexity, interactivity and 
efficiency have been described. 

The protocol has several advantages. The interactive nature of the reconciliation improves the decoding 
process, whenever the decoding fails, a fraction of the punctured symbols is revealed thus allowing for 
virtually zero error rate after decoding. The adaptive characteristic of the protocol allows to skip measuring 
the error rate on the channel. Several applications can boost their performance if this step is skipped: an 
important example is secret key distillation in QKD protocols. In this context the error rate is measured 
by publicly showing a subset of the sequences and discarding the shown symbols, the elimination of this 
step allows the parties to distill a significantly higher secret key rate. 

The protocol presented on this paper can find a broad range of applications as it allows the parties 
to achieve reconciliation efficiencies as low as desired and, in several scenarios, to avoid the waste of a 
relevant part of the sequence for sampling purposes. 
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Fig. 6. Comparison between the efficiency obtained in the original rate adaptive protocol (non-interactive) using LDPC codes j?) 
and the interactive version proposed here. It is also included the theoretical efficiency computed for the same code, and the 
efficiency calculated for LDPC codes without rate modulation j6|. 
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